[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: RO CP root exploit
From: fjlj () wvi ! com
Date: 2005-07-30 8:41:57
Message-ID: 20050730084157.27560.qmail () securityfocus ! com
[Download RAW message or body]
effects
all versions of ROCP on an apache based system
how it is done
first of all i was testing on my friends ragnarok server witch uses ROCP Version \
4.3.4a on an apache based system and so i was stunmling through various files i \
shouldnt have access to such as http://server.com/CP/account_manage.php this file \
will bring up a list of users and passes but of course i got ACCESS DENIED so i \
looked at its source on my machine and saw that it uses \
CHECK_AUTH($_SERVER['PHP_SELF']); to check the auth so then i tried
http://server.com/CP/account_manage.php/login.php
(login.php is of course the login page and is open to guests) and all of a sudden i \
had access to account_manage.php due to the way apache handles this string. and then \
i had ever account name and un encrypted password. as well as this site i had acess \
to every site i wasnt supposed to such as privileges.php/login.php or \
char_manage.php/login.php and then i could search for my character and click edit and \
i would get access denied but then in the address bar i see that it tried to goto \
char_manage.php/char_manage.php?search=user so i changed it to \
char_manage.php/login.php?search=user and bingo
how to fix this
instead of using
CHECK_AUTH($_SERVER['PHP_SELF']);
try using something like
CHECK_AUTH(substr($_SERVER['SCRIPT_NAME'],4));
or
check_auth("pagename.php");
or simply
echo (substr(__FILE__,12));
thanks
VaLiuS
AKA
FJLJ
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic